Service-linked roles
Trusted cloud services can access the resources of other cloud services by assuming a RAM role. RAM roles whose trusted entity is an Alibaba Cloud service include normal service roles and service-linked roles. In some scenarios, Function Compute needs permission to access other cloud services in order to complete one of its own features. For this purpose, Function Compute creates a role linked to the service: the service-linked role AliyunServiceRoleForFC. Function Compute 3.0 supports binding AliyunServiceRoleForFC to FaaS functions, which grants functions access to other cloud services within the minimum required scope of authorization.
Usage notes
When you log on to the Function Compute console for the first time, you must authorize the automatic creation of the service-linked role for the target service before the corresponding features can be used in Function Compute.
After the service-linked role is deleted, EventBridge can no longer publish events to the corresponding Alibaba Cloud service. Proceed with caution. To use the related features again, you must re-create the role. For more information, see Create a service-linked role.
AliyunServiceRoleForFC
The service-linked role AliyunServiceRoleForFC can obtain permissions to access cloud resources such as Virtual Private Cloud (VPC), Elastic Compute Service (ECS), Simple Log Service (SLS), and Container Registry, in order to implement features such as VPC connectivity for functions, image pulling, resource reclamation, and log export.
The service-linked role AliyunServiceRoleForFC is granted the permission policy AliyunServiceRolePolicyForFC. The content of this policy is as follows.
{
  "Version": "1",
  "Statement": [
    {
      "Action": [
        "vpc:DescribeVSwitchAttributes",
        "vpc:DescribeVpcAttribute"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "ecs:CreateNetworkInterface",
        "ecs:DeleteNetworkInterface",
        "ecs:DescribeNetworkInterfaces",
        "ecs:CreateNetworkInterfacePermission",
        "ecs:DeleteNetworkInterfacePermission",
        "ecs:DescribeNetworkInterfacePermissions"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "cr:PullRepository",
        "cr:GetArtifactTag",
        "cr:GetAuthorizationToken",
        "cr:GetRepository",
        "cr:GetRepositoryTag",
        "cr:GetRepoTagManifest",
        "cr:GetRepositoryManifest",
        "cr:GetInstanceVpcEndpoint",
        "cr:GetInstance",
        "cr:GetNamespace",
        "cr:GetArtifactBuildRule",
        "cr:CreateArtifactBuildTask"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "fc:InvokeFunction",
        "eventbridge:PutEvents",
        "mq:PUB",
        "mq:OnsInstanceBaseInfo",
        "mns:SendMessage",
        "mns:PublishMessage",
        "fnf:ReportTaskSucceeded",
        "fnf:ReportTaskFailed"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "log:CreateProject",
        "log:CreateLogStore",
        "log:GetProject",
        "log:GetLogStore",
        "log:DeleteProject",
        "log:DeleteLogStore",
        "log:GetLogStoreLogs"
      ],
      "Resource": [
        "acs:log:*:*:project/aliyun-fc-*",
        "acs:log:*:*:project/*/logstore/function-log*"
      ],
      "Effect": "Allow"
    },
    {
      "Action": [
        "log:PostLogStoreLogs"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "ram:GetRole"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Effect": "Allow",
      "Action": "ram:DeleteServiceLinkedRole",
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "ram:ServiceName": "fc.aliyuncs.com"
        }
      }
    }
  ]
}
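As an added example (not code from the Function Compute documentation), the following Python script audits a RAM policy document of the shape shown above: it groups the allowed actions by service, flags statements that are allowed on Resource "*" without a Condition, and confirms that ram:DeleteServiceLinkedRole is restricted to fc.aliyuncs.com so the role can only remove itself rather than other service-linked roles. The embedded policy is a constructed, abridged copy of AliyunServiceRolePolicyForFC.

```python
import json

# Constructed sample: an abridged copy of AliyunServiceRolePolicyForFC
# (three statements kept verbatim from the documented policy, the rest omitted).
SAMPLE_POLICY = json.loads("""
{
  "Version": "1",
  "Statement": [
    {"Action": ["vpc:DescribeVSwitchAttributes", "vpc:DescribeVpcAttribute"],
     "Resource": "*", "Effect": "Allow"},
    {"Action": ["log:CreateProject", "log:DeleteProject"],
     "Resource": ["acs:log:*:*:project/aliyun-fc-*"], "Effect": "Allow"},
    {"Effect": "Allow", "Action": "ram:DeleteServiceLinkedRole", "Resource": "*",
     "Condition": {"StringEquals": {"ram:ServiceName": "fc.aliyuncs.com"}}}
  ]
}
""")


def _as_list(value):
    """RAM policies allow a single string or a list for Action and Resource."""
    return [value] if isinstance(value, str) else list(value)


def summarize_policy(policy):
    """Return (actions grouped by service, statements that are unscoped).

    A statement is "unscoped" when Resource is "*" and no Condition narrows
    it; such grants deserve review because they apply to every resource.
    """
    services, unscoped = {}, []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt["Action"])
        for action in actions:
            services.setdefault(action.split(":", 1)[0], set()).add(action)
        if _as_list(stmt["Resource"]) == ["*"] and "Condition" not in stmt:
            unscoped.append(sorted(actions))
    return services, unscoped


def delete_is_restricted_to(policy, service_name):
    """True if every ram:DeleteServiceLinkedRole grant is conditioned on
    ram:ServiceName == service_name, i.e. the role may only delete itself."""
    for stmt in policy["Statement"]:
        if "ram:DeleteServiceLinkedRole" not in _as_list(stmt.get("Action", [])):
            continue
        cond = stmt.get("Condition", {}).get("StringEquals", {})
        if cond.get("ram:ServiceName") != service_name:
            return False
    return True
```

Run it against a policy exported from the RAM console to see which grants rely on a wildcard resource and whether the self-deletion condition is intact.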